If you’re using Google in the UK, your data is about to move under U.S. jurisdiction thanks to Brexit.
Google is moving where it controls British user data from Ireland, where the company’s Europe headquarters is located, back to the U.S. following Britain’s exit from the EU.
The tech giant said that UK users will still be covered by the EU’s fierce General Data Protection Regulation (GDPR), which has been in effect since May 2018, and that nothing would change in terms of privacy management. But it’s not that straightforward.
“Like many companies, we have to prepare for Brexit,” said a Google spokesperson in a statement. “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.”
The move was first reported by Reuters, which noted that Google will require British users to agree to new terms of service, which will include details of the new jurisdiction.
What does that really mean for British user data? While Google maintains that UK users will still enjoy that sweet, sweet hardcore GDPR protection, it will depend on Brexit negotiations over what that actually looks like at the end of the year.
There’s uncertainty over whether the UK will continue to act in accordance with GDPR (an EU regulation) post-Brexit. According to the Information Commissioner’s Office, GDPR will continue to apply in the UK during the transition period until the end of 2020.
After that? It depends on negotiations during this period.
“The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period,” reads the ICO FAQs. “However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period — so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.”
The Data Protection Act 2018, which currently supplements the GDPR within the UK, will continue to apply — and the GDPR is set to be incorporated into UK law alongside this Act.
If British user’s Google data is kept in Ireland and not moved to the U.S., British authorities will have a tough time gaining access to it if needed during investigations. The news outlet pointed to the Clarifying Lawful Overseas Use of Data (CLOUD) Act recently passed in the U.S., which could make things easier for British authorities to recover user data from American companies including Google.
On another note, moving UK user data to the U.S. has raised security concerns. Jim Killock, executive director of digital privacy advocacy organisation Open Rights Group, said in a press statement that the move makes bulk surveillance easier.
“Moving people’s personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens,” she said. “We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programmes through to attempts to politically and racially profile people for alleged extremist links.”
“Data protection rights will also become more fragile, and are likely to be attacked in trade agreements pushing ‘data flows’,” she continued.
“Google’s decision should worry everyone who think tech companies are too powerful and know too much about us. The UK must commit to European data protection standards, or we are likely to see our rights being swiftly undermined by ‘anything goes’ US privacy practices.”